Security firm Trend Micro has uncovered evidence that Israel has been on the receiving end of at least two targeted malware campaigns in recent times, one sophisticated, the other anything but. Both suggest increased determination and growing interest on the part of the attackers, the firm said.
Dubbed ‘Operation Arid Viper’ and ‘Advtravel’, the campaigns achieved a degree of success despite their relative lack of sophistication, hitting targets including a government office, the Israeli military, transport, Kuwaiti academics and a number of unnamed Israeli citizens and bloggers, Trend said.
Even the crude and sometimes careless Advtravel campaign had managed to infect around 500 victims, mostly personal laptops belonging to Egyptians in addition to Israelis.
Apart from the personal targeting, the ambitious nature of the command and control is probably the most striking characteristic of the attacks, which in the case of Arid Viper started operating in mid-2013. Advtravel dated from about a year later.
The mechanism of attack was standard: booby-trapped attachments in phishing emails, with the same basic malware being used over and over even as the infrastructure was updated. The motivation was simply to steal information, possibly in Advtravel's case including compromising images that could be used as part of blackmail campaigns, Trend Micro said.
The Advtravel attackers will read Trend Micro’s analysis of their handiwork with some interest, starting with the number of schoolboy configuration errors that made disrupting the command and control easier than it should have been.
Perhaps the worst mistake of all was that Trend managed to trace several individuals who had registered Advtravel C&C servers – Trend even names some of these people and their geographical location.
The firm even speculates on the possible creator of the Advtravel malware, right down to screenshots taken of it as he debugged the software on a virtual server. The researchers also traced the hapless hacker's Facebook page.
Either these hackers are incredibly inexperienced beginners or they just don’t care who identifies them.
There seems little doubt, then, that the people behind these attacks are Palestinian, possibly connected to the Gaza Hacker Team responsible for a series of website defacements.
“While the two campaigns shared infrastructure, their tactics could not be further apart. Operation Arid Viper is a sophisticated campaign targeting key individuals in organizations in order to exfiltrate sensitive data. Its C&C servers were, in fact, closely locked down,” said Trend Micro’s researchers.
“Advtravel, on the other hand, looks very much like the work of less-skilled cybercriminals who appeared to be motivated neither by financial gain nor conducting espionage. Instead, they look like a classic group of beginner hackers just starting their careers.”
In recent years, Israel’s main cyber-foe has been Iran, so the uptick in Palestinian malware will be seen as a small but still noteworthy threat.